crypto/ed25519,crypto/rsa: make Equal methods constant time

FiloSottile · gopherbot · commit bf8571c5d6ce · 2023-05-17T14:48:13.000Z
Fixes #53849 Updates #57752 Change-Id: I055564f31a47c79565b82bf9844fcf626989b295 Reviewed-on: https://go-review.googlesource.com/c/go/+/492955 Auto-Submit: Russ Cox <rsc@golang.org> Reviewed-by: Heschi Kreinick <heschi@google.com> Reviewed-by: Russ Cox <rsc@golang.org> Run-TryBot: Russ Cox <rsc@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org>
diff --git a/src/crypto/ed25519/ed25519.go b/src/crypto/ed25519/ed25519.go
@@ -18,6 +18,7 @@ import (
 	"crypto/internal/edwards25519"
 	cryptorand "crypto/rand"
 	"crypto/sha512"
+	"crypto/subtle"
 	"errors"
 	"io"
 	"strconv"
@@ -46,7 +47,7 @@ func (pub PublicKey) Equal(x crypto.PublicKey) bool {
 	if !ok {
 		return false
 	}
-	return bytes.Equal(pub, xx)
+	return subtle.ConstantTimeCompare(pub, xx) == 1
 }
 
 // PrivateKey is the type of Ed25519 private keys. It implements [crypto.Signer].
@@ -65,7 +66,7 @@ func (priv PrivateKey) Equal(x crypto.PrivateKey) bool {
 	if !ok {
 		return false
 	}
-	return bytes.Equal(priv, xx)
+	return subtle.ConstantTimeCompare(priv, xx) == 1
 }
 
 // Seed returns the private key seed corresponding to priv. It is provided for
diff --git a/src/crypto/rsa/rsa.go b/src/crypto/rsa/rsa.go
@@ -64,7 +64,7 @@ func (pub *PublicKey) Equal(x crypto.PublicKey) bool {
 	if !ok {
 		return false
 	}
-	return pub.N.Cmp(xx.N) == 0 && pub.E == xx.E
+	return bigIntEqual(pub.N, xx.N) && pub.E == xx.E
 }
 
 // OAEPOptions is an interface for passing options to OAEP decryption using the
@@ -130,20 +130,26 @@ func (priv *PrivateKey) Equal(x crypto.PrivateKey) bool {
 	if !ok {
 		return false
 	}
-	if !priv.PublicKey.Equal(&xx.PublicKey) || priv.D.Cmp(xx.D) != 0 {
+	if !priv.PublicKey.Equal(&xx.PublicKey) || !bigIntEqual(priv.D, xx.D) {
 		return false
 	}
 	if len(priv.Primes) != len(xx.Primes) {
 		return false
 	}
 	for i := range priv.Primes {
-		if priv.Primes[i].Cmp(xx.Primes[i]) != 0 {
+		if !bigIntEqual(priv.Primes[i], xx.Primes[i]) {
 			return false
 		}
 	}
 	return true
 }
 
+// bigIntEqual reports whether a and b are equal leaking only their bit length
+// through timing side-channels.
+func bigIntEqual(a, b *big.Int) bool {
+	return subtle.ConstantTimeCompare(a.Bytes(), b.Bytes()) == 1
+}
+
 // Sign signs digest with priv, reading randomness from rand. If opts is a
 // *PSSOptions then the PSS algorithm will be used, otherwise PKCS #1 v1.5 will
 // be used. digest must be the result of hashing the input message using

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,7 @@ import (`
`18`	`18`	`"crypto/internal/edwards25519"`
`19`	`19`	`cryptorand "crypto/rand"`
`20`	`20`	`"crypto/sha512"`
	`21`	`+ "crypto/subtle"`
`21`	`22`	`"errors"`
`22`	`23`	`"io"`
`23`	`24`	`"strconv"`
`@@ -46,7 +47,7 @@ func (pub PublicKey) Equal(x crypto.PublicKey) bool {`
`46`	`47`	`if !ok {`
`47`	`48`	`return false`
`48`	`49`	`}`
`49`		`- return bytes.Equal(pub, xx)`
	`50`	`+ return subtle.ConstantTimeCompare(pub, xx) == 1`
`50`	`51`	`}`
`51`	`52`
`52`	`53`	`// PrivateKey is the type of Ed25519 private keys. It implements [crypto.Signer].`
`@@ -65,7 +66,7 @@ func (priv PrivateKey) Equal(x crypto.PrivateKey) bool {`
`65`	`66`	`if !ok {`
`66`	`67`	`return false`
`67`	`68`	`}`
`68`		`- return bytes.Equal(priv, xx)`
	`69`	`+ return subtle.ConstantTimeCompare(priv, xx) == 1`
`69`	`70`	`}`
`70`	`71`
`71`	`72`	`// Seed returns the private key seed corresponding to priv. It is provided for`
Original file line number	Diff line number	Diff line change
`@@ -64,7 +64,7 @@ func (pub *PublicKey) Equal(x crypto.PublicKey) bool {`
`64`	`64`	`if !ok {`
`65`	`65`	`return false`
`66`	`66`	`}`
`67`		`- return pub.N.Cmp(xx.N) == 0 && pub.E == xx.E`
	`67`	`+ return bigIntEqual(pub.N, xx.N) && pub.E == xx.E`
`68`	`68`	`}`
`69`	`69`
`70`	`70`	`// OAEPOptions is an interface for passing options to OAEP decryption using the`
`@@ -130,20 +130,26 @@ func (priv *PrivateKey) Equal(x crypto.PrivateKey) bool {`
`130`	`130`	`if !ok {`
`131`	`131`	`return false`
`132`	`132`	`}`
`133`		`- if !priv.PublicKey.Equal(&xx.PublicKey) \|\| priv.D.Cmp(xx.D) != 0 {`
	`133`	`+ if !priv.PublicKey.Equal(&xx.PublicKey) \|\| !bigIntEqual(priv.D, xx.D) {`
`134`	`134`	`return false`
`135`	`135`	`}`
`136`	`136`	`if len(priv.Primes) != len(xx.Primes) {`
`137`	`137`	`return false`
`138`	`138`	`}`
`139`	`139`	`for i := range priv.Primes {`
`140`		`- if priv.Primes[i].Cmp(xx.Primes[i]) != 0 {`
	`140`	`+ if !bigIntEqual(priv.Primes[i], xx.Primes[i]) {`
`141`	`141`	`return false`
`142`	`142`	`}`
`143`	`143`	`}`
`144`	`144`	`return true`
`145`	`145`	`}`
`146`	`146`
	`147`	`+// bigIntEqual reports whether a and b are equal leaking only their bit length`
	`148`	`+// through timing side-channels.`
	`149`	`+func bigIntEqual(a, b *big.Int) bool {`
	`150`	`+ return subtle.ConstantTimeCompare(a.Bytes(), b.Bytes()) == 1`
	`151`	`+}`
	`152`	`+`
`147`	`153`	`// Sign signs digest with priv, reading randomness from rand. If opts is a`
`148`	`154`	`// *PSSOptions then the PSS algorithm will be used, otherwise PKCS #1 v1.5 will`
`149`	`155`	`// be used. digest must be the result of hashing the input message using`